Talos Vulnerability Report

TALOS-2019-0774

April 9, 2019

CVE Number

CVE-2019-7125

Summary

A specific JavaScript code embedded in a PDF file can lead to a heap corruption when opening a PDF document in Adobe Acrobat Reader DC 2019.8.20071. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. The vulnerability in this advisory is the same as TALOS-2018-0704, as it wasn't properly patched to cover all cases.

Tested Versions

Adobe Acrobat Reader DC 2019.010.20069

Product URLs

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-194: Unexpected Sign Extension

Details

Adobe Acrobat Reader is the most popular PDF reader on the market currently. It has a large user base and is usually the PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability.

The only difference to the PoC code in TALOS-2018-0704 is that the size of the array is increased by one. As a matter of fact, any array size larger than 32769 will still trigger the vulnerability in the same way.

The code surrounding the vulnerability is slightly different, but all the necessary elements are largely the same:

In the above output, we can see that user size is now 0xa0014, which is just enough to hold 32,769 elements of size 0x14, but not more. The code still does an improper comparison when checking the size due to sign extension:

As in the TALOS-2018-0704 advisory, the loop continued accessing out-of-bounds memory until it hit an unallocated page. By precisely controlling the contents of the memory directly adjacent to the large chunk of memory allocated by the regular expression object, it is possible to further corrupt the heap which could possibly result in arbitrary code execution.